NITVAN
PRIVACY POLICY

The Identity Theft Resource Center (ITRC), as the primary grantor with the Department of Justice, Office for Victims of Crime, is the sole manager of the National Identity Theft Victims Assistance Network website. In accordance with state and federal laws the following is the privacy policy for the National Identity Theft Victims Assistance Network (NITVAN):

Your privacy is important to us. The National Identity Theft Victims Assistance Network, and the Identity Theft Resource Center, maintains a strict privacy policy. This privacy policy governs your use of the NITVAN website.

What information does NITVAN collect and how is it used?
NITVAN requests that you do not send us sensitive personal information such as Social Security numbers, dates of birth, crime reports, or any financial/medical account numbers. Any such information received by NITVAN will be immediately destroyed.

Website

The NITVAN website does not collect sensitive personal information from any consumer/victim/service provider.

User Provided Information: The website does have a Contact Us form for users to request assistance/information, but no sensitive personal information will be requested other than the user’s name and email.. If the user chooses to provide NITVAN with sensitive personal information via the Contact Us form, said information will be immediately destroyed.

Automatically Collected Information: In order to provide the best website experience, NITVAN website does not honor Do Not Track signal requests as this website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies,” which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States.

Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please not that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

Usage of Information

The NITVAN uses the information collected solely for the purpose of providing resources and information to parties seeking assistance with identity theft and/or identity related cybercrime.

Do third parties see and/or have access to information obtained by the ITRC?

Yes. We will share your information with third parties only in the ways that are described below:

We may disclose User Provided and Automatically Collected Information:

as required by law, such as to comply with a subpoena, or similar legal process;

when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request;

with our trusted coalition leaders who work on our behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this privacy statement.

for research or statistical purposes; however, individuals are not identified in the results of these studies.

with your express permission, we may share your information with the media or legislators who desire to contact and speak to individuals who have experienced particular identity theft abuses.

Data Retention Policy, Managing Your Information, Disposal
The NITVAN will maintain personal information collected via its Contact Us form in electronic form. Safeguards for the protection of electronic files include both hardware and software firewalls, use of SSL technology for all connections, verified IP for all connections, and discrete user tokens on each user machine, as well as user name and password protection. Information can include name, phone number, and/or e-mail address, and the information a user chooses to provide to NITVAN.

All other personal and non-personal information collected by the NITVAN are to be stored in electronic form on the ITRC file server, in an access controlled room, within the ITRC facility. They are protected by appropriate firewalls and intrusion detection. External access to the server is limited to secure VPN only.

ITRC has the ability to store user information for safekeeping indefinitely in a secure, locked storage unit housed in the same building as the ITRC offices. Data will be retained for a minimum period of three years and/or destroyed at the request of the user.

Children
We do not use the NITVAN website to knowingly collect data from or market to children under the age of 13. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us at sarah@idtheftcenter.org. We will delete such information from our files within a reasonable time.

Security
We are concerned about safeguarding the confidentiality of your information. We provide physical, electronic, and procedural safeguards to protect information we process and maintain. For example, we limit access to this information to authorized employees and contractors who need to know that information in order to operate, develop or improve our services. Please be aware that, although we endeavor to provide reasonable security for information we process and maintain, no security system can prevent all potential security breaches.

Changes
This Privacy Policy may be updated from time to time for any reason. We will notify you of any changes to our Privacy Policy by posting the new Privacy Policy here and informing you via email or text message. You are advised to consult this Privacy Policy regularly for any changes, as continued use is deemed approval of all changes. You can check the history of this policy by clicking here.

Your Consent
By using the NITVAN website or application you are consenting to our processing of your information as set forth in this Privacy Policy now and as amended by us. “Processing,” means using cookies on a computer/hand held device or using or touching information in any way, including, but not limited to, collecting, storing, deleting, using, combining and disclosing information, all of which activities will take place in the United States. If you reside outside the United States your information will be transferred, processed and stored there under United States privacy standards.

Contact us
If you have any questions regarding privacy while using the Application, or have questions about our practices, please contact us via email at sarah@idtheftcenter.org.
END OF PRIVACY POLICY

ITRC INTERNAL PRIVACY POLICIES AND PROCEDURES

Data Access

Access to data will be limited to those employees having a need for such data and that such employees shall be advised of and agree, in writing to comply with these regulations.

All contractors, subcontractors, and consultants requiring access to identifiable data will agree, in writing to comply with these requirements. At no time shall such contractors, subcontractors, and consultants be given access to identifiable data within ITRC without a need to know, and prior approval of the ITRC management.

Data Collection

This is data which is collected for the purposes of assisting general victims of identity theft. This shall consist of name, state of residence, phone number, and/or e-mail address. A street address may be collected for the purposes of mailing information to the individual to assist them with their case.

This is also data that is collected for the purposes of studies or research. Upon completion of gathering of data, the personal identifying information shall be separated and maintained in a secure manner. During the research phase, some individuals request to do media. At this time they volunteer their information, which is entered, as appropriate, into SalesForce. We do not release the victim’s information to the media. It is the policy of the ITRC to provide the media contact information to the victim so that the victim may initiate the contact with the media.

Any data automatically collected by the ITRC website or application is for the use and operation of said website and application. Information collected automatically by the ITRC website or application is not stored internally with the ITRC, but with third party vendors operating and maintain said website and application.

Data Disclosure

Any private person from whom identifiable information is collected or obtained shall be notified that such data will only be used or revealed for research or statistical purposes, or identity theft case management, and that compliance with the request for information is not mandatory and participation in the project or case may be terminated at any time.

All participants in the victim assistance program are in informed of the following:

All information provided is used to assist in providing proper guidance for the individual. The ITRC does not require city or street address of the caller. However, a city and street address may be collected for the purposes of mailing information to the individual to assist them with their case.

We do require that they provide the name of the state of residence so that we can give them correct information on their state laws and case options. The individual may or may not choose to supply the name of the city from where they are calling.

Persons being asked to participate in any ITRC conducted study are informed that giving their person information is entirely optional.

All participants in the collection phase of any ITRC conducted study will have all information that identifies the participant stripped from the working data for storage. This personal data is used only to contact those individuals from whom greater explanation is required for the study. It is then removed from the dataset.

Permission to share information / Data Transfer

Any person providing personal information, regarding any private person from which identifiable data is collected or obtained by the ITRC, either orally or by means of written questionnaire, shall be advised that the data will only be used or revealed

as required by law, such as to comply with a subpoena, or similar legal process;
when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request;
with our trusted services providers who work on our behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this privacy statement.
for research or statistical purposes; however, individuals are not identified in the results of these studies.
with private person’s express permission, we may share their information with the media or legislators who desire to contact and speak to individuals who have experienced particular identity theft abuses.

Requirements for Staff

Members of the ITRC will, at all times, ensure that the privacy of confidential information is maintained.

Data storage shall be maintained in accordance with current best business practices with all appropriate safeguards in place. At no time will any electronic storage devices be donated, traded, exchanged, shared or sold to any party, person or entity. Nobody will be allowed access to any area of the ITRC network or server domain without the express permission of a member of the management team. No ITRC personnel shall accept and/or connect any alien device to the domain without the expressed permission of the management team. All research data is maintained on the ITRC servers behind appropriate fire walls and security.

ITRC Staff and third party contractors also must sign the excerpt below upon joining the ITRC:

I, the undersigned, have read the ITRC privacy policy above and understand the necessity for maintaining privacy of personally identifying information. I have read and understand the requirements above as they relate to my handling of personally identifying information and hereby agree to comply with all respects and intents of the ITRC policy. I further understand that my personal accountability for proper handling of personally identifying information is a condition for my continued employment or business association with the Identity Theft Resource Center.

Security/Storage Details:

The ITRC will maintain personal information collected via its Call Center in electronic form using SalesForce, a database program specially designed for enterprise business services. The SalesForce database used by ITRC is accessible by ITRC staff and third party vendors for the specific purpose of case remediation only, and with permissions regulated strictly by individual login. Safeguards for the protection of electronic files include both hardware and software firewalls, use of SSL technology for all connections, verified IP for all connections, and discrete user tokens on each user machine, as well as user name and password protection. Information can include name, state of residence, phone number, and/or e-mail address, and in some cases city and street address.

All other personal and non-personal information collected by the ITRC are to be stored in electronic form on the ITRC file server, in an access controlled room, within the ITRC facility. They are protected by appropriate firewalls and intrusion detection. External access to the server is limited to secure VPN only.

Retention/Disposal

Because the ITRC undertakes an advisory role with victims of identity theft, and because the nature of this crime may require years for mitigation, victims have the expectation that ITRC will retain for safekeeping and future access any case information that may be of use to the victim’s case in the future. ITRC has the ability to store client files for safekeeping indefinitely in a secure, locked storage unit housed in the same building as the ITRC offices. Data will be retained for a minimum period of three years and/or destroyed at the request of the victim.

This summary of the ITRC’s privacy policies and procedures was drafted by the ITRC legal analyst Sam Imandoust in 2014 and reviewed by the ITRC President & CEO and a member of the ITRC Board of Directors.

Disclaimer

This website was produced by the Identity Theft Resource Center, under award # 2016-XV-GX-K004, awarded by the Office for Victims of Crime, Office of Justice Programs, U.S. Department of Justice. The opinions, findings, and conclusions or recommendations expressed in this document are those of the contributors and do not necessarily represent the official position or policies of the U.S. Department of Justice.